[tor-bugs] #5236 [Tor bundles/installation]: Make a deb of the Torbrowser and add to repository
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Feb 18 04:05:22 UTC 2013
#5236: Make a deb of the Torbrowser and add to repository
--------------------------------------+-------------------------------------
Reporter: cypherpunks | Owner:
Type: enhancement | Status: needs_information
Priority: normal | Milestone:
Component: Tor bundles/installation | Version:
Keywords: | Parent:
Points: | Actualpoints:
--------------------------------------+-------------------------------------
Comment(by micahlee):
I have a working (and pretty polished) first version of Tor Browser
Launcher. The code is all here: https://github.com/micahflee/torbrowser-
launcher
Here are screenshots, and descriptions of each step:
http://imgur.com/a/Mvpwl
Here's how it works:
~/.torbrowser/download/ -- where TBB .tar.gz and their signatures get
downloaded to
~/.torbrowser/gpgtmp/ -- a directory to temporarily use to verify TBB
signatures
~/.torbrowser/tbb/ARCHITECTURE/tor-browser_LANGUAGE/ -- where TBB gets
extracted to
When you run, if TBB isn't installed it downloads the .tar.gz and the
.tar.gz.asc and verifies the signature. If the signature is good, it
extracts and then runs. If the signature is bad, it displays an error with
the option to re-download.
If TBB is installed, it just runs it.
If TBB is out of date, it pops up an interface to download the update,
then verifies it, extracts it, and runs it. It extracts it over the old
TBB directory, so bookmarks get preserved.
Getting TBB by apt-get installing torbrowser-launcher will be a more
secure way of install TBB also, since it verifies the signature. My guess
is barely anyone manually verifies the signature.
I think this could get accepted into Debian.
Right now, Tor Browser Launcher knows what version the current version is
because it's hard-coded in the source code. That means each time a new
version comes up, I'll need to update Tor Browser Launcher with the new
current version, and there will be a gap between the time that TBB gets
released and the updated package lands in Debian. That isn't good.
I have an idea for how to fix it, but it will require the TBB maintainers
to update a file at torproject.org that states the current version and
maybe a timestamp. It could be something like
https://www.torproject.org/download/current_version, and possibly also a
signature of that file.
If this could happen, then Tor Browser Launcher wouldn't need constant
maintenance. It could just check for the current version each time it
starts. Of course, the request that checks for the current version
wouldn't go over Tor.
But if there were a consistent way to check for the current version it
would be possible to actually download updates over Tor without requiring
an extra tor dependency. I could write a Tor Browser Launcher Firefox
extension. After extracting the tarball, I can install the extension into
the Firefox profile. All it will do is, as soon as you launch TBB, check
to see if there are updates available (over Tor). If there are, it can
popup an update dialog. Then, this extension can download the new .tar.gz
and .tar.gz.asc files, put them in ~/.torbrowser/download, and then ask
you to restart. After restarting, the launcher could verify the signature,
extract, and run the new version.
Do you think this current version file is something Tor Project could
maintain?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5236#comment:32>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list